Another Look at Tightness II: Practical Issues in Cryptography

Sanjit Chatterjee, Neal Koblitz, Alfred Menezes, and Palash Sarkar

Date: 20 April 2016; updated on 25 August 2016.

Abstract. How to deal with large tightness gaps in security proofs is a vexing issue in cryptography. Even when analyzing protocols that are of practical importance, leading researchers often fail to treat this question with the seriousness that it deserves. We discuss nontightness in connection with complexity leveraging, HMAC, lattice-based cryptography, identity-based encryption, and hybrid encryption.

1. Introduction

The purpose of this paper is to address practicality issues in cryptography that are related to nontight security reductions. A typical security reduction (often called a “proof of security”) for a protocol has the following form: A certain mathematical task $P$ reduces to the task $Q$ of successfully mounting a certain class of attacks on the protocol — that is, of being a successful adversary in a certain security model. More precisely, the security reduction is an algorithm $R$ for solving the mathematical problem $P$ that has access to a hypothetical oracle for $Q$. If the oracle takes time at most $T$ and is successful with probability at least $\epsilon$ (here $T$ and $\epsilon$ are functions of the security parameter $k$), then $R$ solves $P$ in time at most $T'$ with probability at least $\epsilon'$ (where again $T'$ and $\epsilon'$ are functions of $k$). We call $(T'\epsilon)/(T\epsilon')$ the tightness gap. The reduction is said to be tight if the tightness gap is 1 (or is small); otherwise it is nontight. Usually $T' \approx T$ and $\epsilon' \approx \epsilon$ in a tight reduction.

A tight security reduction is often very useful in establishing confidence in a protocol. As long as one is not worried about attacks that lie outside the security model (such as side-channel attacks, duplicate-signature key selection attacks, or multi-user attacks [59]), one is guaranteed that the adversary’s task is at least as hard as solving a certain well-studied mathematical problem (such as integer factorization) or finding a better-than-random way to predict output bits from a standardized primitive (such as AES).

The usefulness of a nontight security reduction is more controversial. If, for example, the tightness gap is $2^{40}$, then one is guaranteed that the adversary’s task is at least $2^{-40}$ times as hard as solving the mathematical problem or compromising AES. Opinions about whether nontightness is a cause of concern depend on how much importance one attaches to quantitative guarantees. In his paper [11] explaining practice-oriented provable security, Bellare writes:

    Practice-oriented provable security attempts to explicitly capture the inherently quantitative nature of security, via a concrete or exact treatment of security.... This enables a protocol designer to know exactly how much security he/she gets. (emphasis in original)

In contrast, some researchers minimize the importance of quantitative security and object strongly when someone criticizes a practice-oriented provable security result for giving a useless concrete security bound. For example, an anonymous reviewer of [57] defended the nonuniform proof in [12], acknowledging that its nonuniformity “reduces the quantitative guarantees” but then stating:

    Many proofs do not yield tight bounds, but they still are powerful qualitative indicators of security.
This reviewer characterized the use of the word “flaw” in [57] in reference to a fallacious analysis and erroneous statement of quantitative guarantees as “misleading” and “offensive,” presumably because the “qualitative indicators” in [12] were still valid.

What makes the nontightness question particularly sensitive is that cryptographers are supposed to be cautious and conservative in their recommendations, and sources of uncertainty and vulnerability are not supposed to be swept under the rug. In particular, one should always keep in mind the possibility of what Menezes in [68] calls the nightmare scenario — that there actually is an attack on the protocol that is reflected in the tightness gap. In [27] the authors presented attacks on MAC schemes in the multi-user setting — attacks that are possible because the natural security reduction relating the multi-user setting to the single-user setting is nontight. Similar attacks on protocols in the multi-user setting were given for a network authentication protocol, aggregate MAC schemes, authenticated encryption schemes, disk encryption schemes, and stream ciphers. In Appendix B we describe the attacks of Zaverucha [83] on hybrid encryption in the multi-user setting. In §5 we describe another situation where the tightness gap reflects the fact that there’s an actual attack, in this case due to Pietrzak [75, 40].

A practical issue that is closely related to the nontightness question is the matter of safety margins. There are at least two kinds of safety margins: (1) parameter sizes that give significantly more bits of security than are currently needed, and (2) “optional” features in a protocol that are believed (sometimes because of tradition and “instinct” rather than any rigorous security argument) to help prevent new attacks or attacks that are outside the commonly used security models.

At present it is widely agreed that it is prudent to have at least 128 bits of security.¹ Why not 96? In the near future it is unlikely that anyone (even the NSA) will expend $2^{96}$ operations to break a protocol. The reason for insisting on 128 bits of security is that one should anticipate incremental improvements in cryptanalytic attacks on the underlying mathematical problem that will knock several bits off the security level. If nontightness has already reduced the security assurance provided by the proof from 128 to 96 bits (and if the parameter sizes have not been increased so as to restore 128 bits of security), then even relatively small advances in attacking the mathematical problem will bring the security assurance further down to a level where a successful attack on the protocol is feasible in principle.

¹ By “$k$ bits of security” we mean that there is good reason to believe that, if a successful attack (of a specified type) takes time $T$ and has success probability $\epsilon$, then $T/\epsilon > 2^k$.

A common explanation of the value of security proofs is that features that are not needed in the proof can be dropped from the protocol. For instance, Katz and Lindell make this point in the introduction to [49]. However, in Appendix B (see also §5 of [59]) we shall find that optional features included in protocols often thwart attacks that would otherwise reduce the true security level considerably.

On the one hand, there is widespread agreement that tight proofs are preferable to nontight ones, many authors have worked hard to replace nontight proofs with tighter proofs when possible, and most published security reductions duly inform the reader when there is a large tightness gap. On the other hand, authors of papers that analyze protocols that are of practical importance almost never suggest larger parameters that compensate for the tightness gap. Presumably the reason is that they would have to sacrifice efficiency.
As Bellare says [11]:

    A weak reduction means that to get the same level of security in our protocol we must use larger keys for the underlying atomic primitive, and this means slower protocols.

Indeed, many standardized protocols were chosen in part because of security “proofs” involving highly nontight security reductions. Nevertheless, we are not aware of a single protocol that has been standardized or deployed with larger parameters that properly account for the tightness gaps. Thus, acknowledgment of the nontightness problem remains on the level of lip service.

In §§3-7 we discuss nontightness in connection with complexity leveraging, HMAC, lattice-based cryptography, and identity-based encryption; in Appendix B we discuss Zaverucha’s results on nontightness in security proofs for hybrid encryption in the multi-user setting. In the case of HMAC, in view of the recent work [57, 40] on the huge tightness gaps in pseudorandomness results, in §5 we recommend that standards bodies reexamine the security of HMAC when used for non-MAC purposes (such as key derivation or passwords) or with MD5 or SHA1.

2. An Important Caveat

In our view, any scientific work that makes ambitious claims of practical importance needs to be examined carefully and critically. One should not be blinded by hype or wishful thinking, or by the authors’ impressive credentials. In an interdisciplinary field such as cryptography, where mistakes can be devastating, it is important to welcome the commentary of people with a variety of backgrounds — mathematicians, engineers, and hackers, as well as computer scientists.

However, an important caveat must be made. It is not right to trash work that contains elegant ideas and makes no claim to have practical applications in the foreseeable future. The proof of Fermat’s Last Theorem in 1995 was rightly regarded as a major achievement of human thought. Closer to our field, work on the oracle-complexity of factoring, first by Rivest and later by Maurer, was elegant and compelling. It would be anti-intellectual and philistine to ridicule this type of work because it has no known applications outside of theory.² (See [54] for a discussion of this type of philistinism.)

² In the trip report [71] about Eurocrypt 1992, the NSA author makes fun of Maurer’s results with sarcastic humor.

One of the negative consequences of the anti-intellectualism that is so prevalent in the United States and some other countries is that in grant applications and elsewhere theoretical mathematicians have sometimes exaggerated or even fabricated a connection between their research and cryptography.
